
Enable Access Approval for Document AI Resources


Risk Level: High (not acceptable risk)

Ensure that Access Approval is enabled within the Google Cloud Platform (GCP) project that manages your Document AI resources, so that your explicit approval is required whenever Google personnel need to access your Document AI data. Once the Access Approval feature is enabled, you can delegate the users in your organization who may approve access requests by granting them a security role in Identity and Access Management (IAM). Each request shows the requester's name/ID in an email or Pub/Sub message that you can choose to approve. This adds a control and logging layer that records who in your organization approved or denied access requests to your GCP projects.

Security
Operational excellence

Controlling access to your Document AI data is crucial when working with business-critical and sensitive data. With Access Approval, you can be certain that your cloud information is accessed by approved Google personnel only. The Access Approval feature ensures that a cryptographically signed approval exists before Google Cloud support and engineering teams access your AI data (certain exceptions apply). By default, neither Access Approval nor its dependency, Access Transparency, is enabled.


Audit

To determine if Access Approval is enabled for your Google Cloud Document AI resources (i.e., Document AI processors), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that contains your Document AI processors from the top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select Settings.

05 Access Transparency is a dependency of Access Approval. Check the status of the Access Transparency feature, available under Access Transparency. If the status is not set to Enabled, Access Transparency is disabled for the selected project. As a result, Access Approval is disabled for the selected GCP project and the Audit process ends here. If the Access Transparency status is set to Enabled, continue the Audit process with the next step.

06 Navigate to Google Cloud Security console available at https://console.cloud.google.com/security.

07 In the left navigation panel, under Detections and Controls, select Access Approval.

08 Check the operational status of the Access Approval feature. If no feature status is shown and an enrollment page is displayed instead (i.e., the Enroll button is visible), the Access Approval security feature is not enabled for the Document AI resources within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each GCP project available within your Google Cloud account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-web-project-112233
cc-mobile-project-123123

03 Run the access-approval settings get command (Windows/macOS/Linux) with the ID of the GCP project that contains your Document AI processors as the identifier parameter, to describe the Access Approval settings associated with the selected project:

gcloud access-approval settings get \
	--project cc-web-project-112233

04 The command output should return the requested Access Approval settings. If the command instead returns the error ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed., Access Transparency (a dependency of Access Approval) is not enabled, and as a result Access Approval is disabled for the selected project. If the command output does not return the Access Approval settings and instead displays the following message, the Access Approval security feature is not enabled for the Document AI resources within the selected GCP project:

API [accessapproval.googleapis.com] not enabled on project [cc-web-project-112233]

05 Repeat steps no. 3 and 4 for each GCP project created within your Google Cloud account.

Remediation / Resolution

To enable the Access Approval security feature for your Google Cloud Document AI resources (i.e., Document AI processors), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that contains your Document AI processors from the top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console available at https://console.cloud.google.com/iam-admin/iam.

04 In the left navigation panel, select Settings.

05 To enroll in Access Approval, ensure that Access Transparency is enabled for your project's organization. On the Settings page, check the status of the Access Transparency feature, available under Access Transparency. If the feature is not enabled, choose Enable access transparency for organization to enable Access Transparency.

06 Navigate to Google Cloud Security console available at https://console.cloud.google.com/security.

07 In the left navigation panel, under Detections and Controls, select Access Approval.

08 In the Access Approval section, choose Enroll to enable Access Approval for the selected GCP project.

09 To make use of Access Approval, receive email notifications of access requests for your GCP project, and approve incoming access requests, perform the following actions:

  1. To view and approve access requests, you must grant yourself the Access Approval Approver role (i.e., roles/accessapproval.approver):
    1. Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.
    2. In the left navigation panel, select IAM.
    3. Select the Allow tab, choose View by principals, and select Grant access to add a new principal.
    4. For Add principals, enter your email address in the New principals box.
    5. For Assign roles, click inside the Select a role box, and choose the Access Approval Approver role from the Roles list.
    6. Choose Save to save the changes.
  2. To add yourself as an approver in order to review and approve access requests, perform the following actions:
    1. Navigate to Google Cloud Security console at https://console.cloud.google.com/security.
    2. In the left navigation panel, under Detections and Controls, select Access Approval.
    3. Choose Manage settings to access the Access Approval feature configuration settings.
    4. In the Access Approval section, choose Enroll to enable Access Approval for the selected GCP project.
    5. For Set up approval notifications, add your email address in the User or group email box.
  3. Now that Access Approval is enabled and you added yourself as an approver for access requests, you can expect to receive email notifications for access requests. On the Access Approval page, select the access request that you want to approve, and choose Approve for confirmation.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the services enable command (Windows/macOS/Linux) to enable the Access Approval API for your Google Cloud Platform (GCP) project (Access Transparency must be enabled for your project's organization):

gcloud services enable accessapproval.googleapis.com \
	--project cc-web-project-112233

02 Run the access-approval settings update command (Windows/macOS/Linux) with the ID of the GCP project that contains your Document AI processors as the identifier parameter, to enable Access Approval for all the Document AI resources available in the selected project. Replace <approval-email-address> with the email recipient chosen for access approval requests:

gcloud access-approval settings update \
	--project=cc-web-project-112233 \
	--enrolled_services=all \
	--notification_emails='<approval-email-address>'

03 Repeat steps no. 1 and 2 for each GCP project created within your Google Cloud account.
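The CLI audit (steps 01 to 05 above) and the CLI remediation (steps 01 to 03) are usually run across every project in the account rather than one at a time. The script below is an added example, not Conformity's own tooling: it wraps the same gcloud commands in functions, maps each settings get result to an audit verdict, and optionally enrolls a project. The two error messages it matches are the ones quoted in the Audit section; the YAML shape it expects for an enrolled project (an enrolledServices: key) is an assumption, the sample outputs are constructed, and the file name access_approval_audit.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): audit Access Approval status across
# every project in the account, and optionally enroll a project, using the same
# gcloud commands the procedure above describes.
set -eu

# Map one `gcloud access-approval settings get` result to an audit verdict.
# $1 = gcloud exit status, $2 = combined stdout/stderr of the command.
classify_access_approval_output() {
  rc="$1"
  out="$2"
  case "$out" in
    *FAILED_PRECONDITION*)
      # Access Transparency (the dependency) is off, so Access Approval cannot be enabled.
      echo "ACCESS_TRANSPARENCY_DISABLED" ;;
    *"[accessapproval.googleapis.com] not enabled on project"*)
      echo "ACCESS_APPROVAL_NOT_ENABLED" ;;
    *)
      # Assumption: an enrolled project prints settings YAML containing an enrolledServices: key.
      if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q '^enrolledServices:'; then
        echo "ENROLLED"
      elif [ "$rc" -eq 0 ]; then
        # API reachable but nothing enrolled: settings exist, yet no service is protected.
        echo "ENABLED_NO_SERVICES"
      else
        echo "UNKNOWN_ERROR"
      fi ;;
  esac
}

# Constructed sample outputs (not captured from a real project).
SAMPLE_AT_DISABLED='ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed.'
SAMPLE_API_DISABLED='API [accessapproval.googleapis.com] not enabled on project [cc-web-project-112233]'
# Assumed shape of the settings YAML printed once a project is enrolled.
SAMPLE_ENROLLED='enrolledServices:
- cloudProduct: all
  enrollmentLevel: BLOCK_ALL
name: projects/cc-web-project-112233/accessApprovalSettings
notificationEmails:
- security-approvers@example.com'

# Offline self-check of the classifier against the constructed samples; returns 0 on success.
self_check() {
  [ "$(classify_access_approval_output 1 "$SAMPLE_AT_DISABLED")" = "ACCESS_TRANSPARENCY_DISABLED" ] &&
  [ "$(classify_access_approval_output 1 "$SAMPLE_API_DISABLED")" = "ACCESS_APPROVAL_NOT_ENABLED" ] &&
  [ "$(classify_access_approval_output 0 "$SAMPLE_ENROLLED")" = "ENROLLED" ]
}

# Audit one project with the real gcloud command and print "<project>\t<verdict>".
audit_project() {
  proj="$1"
  rc=0
  out=$(gcloud access-approval settings get --project "$proj" 2>&1) || rc=$?
  printf '%s\t%s\n' "$proj" "$(classify_access_approval_output "$rc" "$out")"
}

# Audit every project visible to the active gcloud account (CLI audit steps 01 to 05).
audit_all_projects() {
  gcloud projects list --format="value(projectId)" | while IFS= read -r proj; do
    audit_project "$proj"
  done
}

# Remediate one project (CLI remediation steps 01 and 02). $2 is the approver e-mail address.
enable_access_approval() {
  proj="$1"
  approver_email="$2"
  gcloud services enable accessapproval.googleapis.com --project "$proj"
  gcloud access-approval settings update \
    --project="$proj" \
    --enrolled_services=all \
    --notification_emails="$approver_email"
}

# Usage:  sh access_approval_audit.sh audit
#         sh access_approval_audit.sh enable <project-id> <approver-email>
# With no arguments only the offline self-check runs, so gcloud is never called by accident.
case "${1:-}" in
  audit)  audit_all_projects ;;
  enable) enable_access_approval "$2" "$3" ;;
  *)      self_check && echo "classifier self-check passed" ;;
esac
```

The verdict ENABLED_NO_SERVICES is worth flagging separately in a report: the API is enabled and settings exist, but no service is enrolled, so Google personnel access is still not gated by your approval.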

Publication date Jul 28, 2025